Home / Top Threats November 2018: as if phishers needed more opportunities

Top Threats November 2018: as if phishers needed more opportunities

It’s the fall. As trees shed their leaves, gusts of wind tear at our roofs and Europe gears up for the December shopping spree. Let’s grab a hot cup of coco and take a look at some of the current news on InfoSec threats.

Vulnerabilities galore!

We understand, there’s going to be vulnerabilities, just like tides in the sea. The word “zero-day” doesn’t scare us like it did a few years ago, because there are so many of them. It’s something you get used to. That said, recently there’s been a whole slew of them:

In mid-November, the research team that discovered the Meltdown and Spectre vulnerabilities earlier in 2018, found seven new transient execution attacks, affecting processors from Intel, AMD and ARM. Out of these seven vulnerabilities, two are Meltdown variants and five are variants of Spectre. The question is always: do we panic or shrug our shoulders? We suggest you at least don’t panic, for reasons we already mentioned in January.

There was a zero-day in VirtualBox (a popular, mostly free, virtualization software). It allows attackers to break out of the virtualized environment, and run code on the host, which is the one thing you don’t want to happen. The vulnerability does not depend on the type of operating system and affects all versions of VirtualBox (5.2.20 and prior). VM escape vulnerabilities happen a lot, so no reason to run for cover and panic, but by all means, do patch.

On top of this, a bug in the UX in Gmail created the ability to alter the header and change the “from” field, allowing for completely anonymous e-mails. This could easily be leveraged by an attacker for phishing attacks. The vulnerability was dubbed “ghost” and was possible by inputting the recipient’s email in the “from” header and pair it with a large arbitrary tag, for example < object >, or . After an attacker puts the malformed image data into the front field, the email sender turns blank, therefore appearing to lack a sender / “from”. This was one more opportunity for phishers, on top of the one you’ll read about below.

MFA outage on O365 and Azure

On November 19th, our twitter timelines were taken over by people not getting into their O365 and Azure environments for 8 long hours. A failure in Microsoft Office 365 and Azure Active Directory’s Multi-Factor Authentication (MFA) led to users and admins being locked out. The cause for this outage was an MFA update. Ten days later, the MFA system crashed again, this time for three hours.Obviously, a nuisance, and who knows, for those that needed to perform a critical task under deadline restrictions, a disaster.

Almost half of phishing sites looks legit

Research on phishing shows phishers are increasingly using SSL certificates. Almost half of the researched phishing sites (49%) were actually using “https://” and had the padlock security icon in place. A year ago, phishing sites using https:// was just 25%. Banking fraud victims have been seeing this for years. Banking malware, for example, has the ability to inject extra code in the browser, while the padlock is firmly in place.The “green lock” only tells the user is that the data transmitted between the browser and the site is encrypted. Is doesn’t say anything about the content, or the integrity of the content. The old advice of “look for the lock” is out-of-date.

Irony: WordPress plugin for GDPR compliance allows total site control

The title says it all. While many websites deal with GDPR differently, from blocking access to EU IP space, to more elegant solutions, there is one WordPress GDPR compliance plugin that allowed the website to be open for administrative access, letting attackers upload arbitrary (malicious) plugins.The latest version of the plugin solves this. But the irony in this one remains great.Happy digital transformation efforts to all, stay safe, and let’s catch up next month.